When CCPA Doesn't Apply

The California Consumer Privacy Act of 2018 (“CCPA”) is a law that grants California residents new rights to know about and control the collection, sharing, and sale of a broad array of personal information. While the CCPA broadly defines “personal information,” the definition of personal information includes one big exclusion: publicly available information.

Under the CCPA, publicly available information is any information that is lawfully made available from federal, state, or local government records.

Additionally, personal information protected by other key California state and federal legislation is explicitly not covered by CCPA. Highlights include:

  • Personal Information (often medical information) protected under the Health Insurance Portability and Accountability Act (HIPAA) is not covered. This law applies to a lot of the personal information collected by healthcare providers and related businesses
  • Personal Information (often financial information) collected by banks and financial institutions that is covered under the Gramm–Leach–Bliley Act (GLBA) it not covered. This law applies to a lot of the personal information collected by banks, insurance companies, and companies that help facilitate financing and lending, such as automotive dealerships.
  • Personal Information protected under the  Fair Credit Reporting Act (FCRA) is not covered. This law applies to personal information collected for performing background checks that involved credit reports or that is provided to credit reporting agencies.


For the full text of the law, see Cal. Civ. Code section 1798.145